Some say we're living in a "post-PC" world, but malware on PCs is still a major problem for home computer users and businesses.

The examples are everywhere: In November, we reported that malware was used to steal information about one of Japan's newest rockets and upload it to computers controlled by hackers. Critical systems at two US power plants were recently found infected with malware spread by USB drives. Malware known as "Dexter" stole credit card data from point-of-sale terminals at businesses. And espionage-motivated computer threats are getting more sophisticated and versatile all the time.

In this second installment in the Ars Guide to Online Security, we'll cover the basics for those who may not be familiar with the different types of malware that can affect computers. Malware comes in a variety of types, including viruses, worms, and Trojans.

Viruses are programs that replicate themselves in order to spread from computer to computer; on each infected PC they may delete data, steal information, or otherwise change the computer's behavior.

"Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program," Cisco notes. "When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments."
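As an added illustration (not part of the Ars article or Cisco's material) of how the host-file modification Cisco describes can be caught after the fact: a baseline of SHA-256 digests and sizes for a directory of executables, compared later to classify each file as unchanged, appended-to (the original bytes still form a prefix, as with a parasitic infector that keeps the host running), overwritten, missing or new. The sample file contents are constructed, and a real deployment would keep the baseline somewhere the malware cannot rewrite it.

```python
import hashlib
import os
from typing import Dict, Tuple

# path -> (sha256 hex digest, size in bytes) recorded while the files were clean
Baseline = Dict[str, Tuple[str, int]]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_from_bytes(files: Dict[str, bytes]) -> Baseline:
    """Record digest and size for an in-memory {path: content} mapping."""
    return {path: (digest(data), len(data)) for path, data in files.items()}


def classify(entry: Tuple[str, int], current: bytes) -> str:
    """Compare one file's current bytes against its baseline entry.

    'appended'   : the original bytes are still a prefix and more follow,
                   the signature of an infector that keeps the host working.
    'overwritten': any other change (host destroyed, binary replaced, or code
                   inserted before the original, which this check cannot tell
                   apart from a plain overwrite).
    """
    orig_hash, orig_size = entry
    if len(current) == orig_size and digest(current) == orig_hash:
        return "unchanged"
    if len(current) > orig_size and digest(current[:orig_size]) == orig_hash:
        return "appended"
    return "overwritten"


def compare_bytes(base: Baseline, files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every path present in the baseline or in the current set."""
    report: Dict[str, str] = {}
    for path, entry in base.items():
        report[path] = classify(entry, files[path]) if path in files else "missing"
    for path in files:
        if path not in base:
            report[path] = "new"
    return report


def read_tree(root: str) -> Dict[str, bytes]:
    """Read every regular file under root (fine for a program directory)."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def baseline_dir(root: str) -> Baseline:
    return baseline_from_bytes(read_tree(root))


def compare_dir(base: Baseline, root: str) -> Dict[str, str]:
    return compare_bytes(base, read_tree(root))


# Constructed sample (not real binaries): a clean baseline, then the same set
# after one host had code appended, one was overwritten, one vanished and a
# new file was dropped.
SAMPLE_CLEAN = {
    "bin/editor.exe": b"MZ\x90\x00constructed-editor-program-bytes",
    "bin/viewer.exe": b"MZ\x90\x00constructed-viewer-program-bytes",
    "bin/tool.exe": b"MZ\x90\x00constructed-tool-program-bytes",
}
SAMPLE_LATER = {
    "bin/editor.exe": SAMPLE_CLEAN["bin/editor.exe"] + b"<constructed appended code>",
    "bin/viewer.exe": b"MZ\x90\x00<constructed overwriting copy>",
    "bin/helper.exe": b"MZ\x90\x00constructed-newly-dropped-file",
}


def demo() -> Dict[str, str]:
    """Run the comparison on the constructed sample and return the verdicts."""
    return compare_bytes(baseline_from_bytes(SAMPLE_CLEAN), SAMPLE_LATER)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:12} {path}")
```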

Worms are similar to viruses in that they replicate themselves to spread from machine to machine. Cisco says the main difference is a "worm operates more or less independently of other files, whereas a virus depends on a host program to spread itself." Worms spread easily and are likely to cause harm not just to individual PCs but to entire computer networks. One of the most destructive worms ever unleashed on the Internet was dubbed Slammer, which recently marked its 10-year anniversary.

Trojans do not replicate themselves, unlike viruses and worms. They are named after the Trojan horse of ancient Troy because they disguise themselves as legitimate, harmless programs to convince users to install them. "After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses)," Cisco writes. "Trojans are also known to create back doors to give malicious users access to the system."

Certain types of attacks combine attributes of viruses, worms, and Trojans into "blended threats" that may spread more effectively and be harder to defend against.

In addition to viruses, worms, and Trojans, malware can be divided further into sub-categories such as backdoors, remote access Trojans, information stealers, and ransomware. In his 2012 book "Malware, Rootkits & Botnets: A Beginner's Guide," security expert Christopher Elisan describes these types of malware:

Backdoors

As their name implies, backdoors let attackers gain covert access to an infected system, bypassing security "through the use of undocumented OS and network functions," Elisan writes. As an example, a backdoor was used to hack into RSA's systems in 2011. This was a targeted attack, gaining a foothold in RSA's network by sending innocent-looking phishing e-mails to workers. The e-mail had a subject line of "2011 Recruitment Plan" and contained an Excel file with an embedded Adobe Flash file that installed the backdoor:

Launching the attachment in Outlook led to the Flash object being executed by Microsoft Excel. By targeting a vulnerability allowing the execution of code, the object dropped a variant of the so-called "Poison Ivy" backdoor onto the RSA computer. Poison Ivy connects back to servers operated by malicious users. "Once the connection is made, the attacker has full remote access to the infected workstation," F-Secure wrote in 2011. "Even worse, it has full access to network drives that the user can access."

Remote Access Trojans

"A remote access Trojan (RAT) is a malicious administrative tool that has backdoor capabilities, enabling an attacker to gain root access to the compromised machine," Elisan writes. "The main difference between a RAT and a traditional backdoor is that the RAT has a user interface, the client component, which the attacker can use to issue commands to the server component residing in the compromised machine."

Thousands of compromised computers can be controlled with remote access Trojans, letting attackers do "almost anything" they want. They can install programs on the infected PC, steal information, or just flat-out destroy the computer.

Information stealers

Diving deeper into malware designed to steal information, Elisan describes keyloggers, desktop recorders, and memory scrapers, which can steal passwords, financial credentials, proprietary data, "or anything that the attackers can use to their advantage or monetize."

A keylogger records the user's keystrokes and "stores them locally for later retrieval, or sends them to a remote server that the attacker has access to." Desktop recorders take periodic screenshots of the desktop, while memory scrapers take information out of a computer's memory while it's being processed. "Data that is processed in memory is unencrypted. This is why this is the best place to grab data," Elisan writes.

Keyloggers can be used for supposedly legitimate purposes, with some companies selling software letting you track the computer activity of family members. This might appeal to parents who want to monitor their children's Internet activity—or to someone who wants to spy on a cheating spouse.

Ransomware

Image caption: A typical message displayed on a computer infected by ransomware.

This type of malicious program essentially holds a computer hostage unless the user pays a ransom. The malware might encrypt the PC's data to prevent the user from accessing it. "To have access restored, the user needs to pay a ransom, after which the data will be decrypted by the malware or the user will be provided with a decryption tool and key," Elisan writes. "Or the criminal can just take the money and not bother anymore, leaving the user with the encrypted data and a hole in his pocket."

Similar ends can also be accomplished by locking the user out of the whole system or threatening destruction of the machine with a Trojan.

Ransomware builds on the annoying tradition of viruses bombarding users with popup ads for fake antivirus products. "Ransomware can be considered the successor of fake antivirus malware as the leading cybercrime threat facing consumers," Trend Micro wrote in a report recapping security in 2012. "Both threats cause users to worry about something (i.e., losing important data or downloading malicious files) and asks them to pay up to make the 'problem' go away."

What occurs to me is this. Maybe a stoopid idea. Aside from the usual being careful with incoming email and not displaying images upon arrival therein, there's not much I can do to protect my tablet against malware or to check for malware that's already there. For surely, if there's not some now, somebody'll figure out how to put some there in the future. No?

I think it would help a lot if security researchers would stop coming up with clever new names for threats that really aren't that different, or different in a relevant way. It takes forever to educate users on what to look for and how to deal with a threat, and it really isn't helpful when they then are told to watch out for some 'new' thing that they have never heard of but really isn't different.

User: "I've been told to watch out for this 'phishing' thing but now we have to worry about this 'spear phishing'??!! OMG, what is that? What do I do?"

Answer: Same as phishing; it's just an attempt to sound clever and coin a new term.

User: "I run a virus scanner to protect against viruses, but now there's these worms? How do I deal with them??"

Answer: By running the same virus scanners.

We should classify our threats based on what the average end user needs to do to counter them, not on what we think sounds nifty.

With the number of applications and programs running on a modern day "regular" user computer, viruses are going to thrive forever. The amount of loopholes is a gold mine to exploit, and the non-techie people have no chance of catching up. It's a hacker's wet dream at the moment and there is big money to be made.

No doubt cyber security is going to be worth more than cannon fodder soldiers in the future. All wars will be digital and the winners are programmers.

One thing I've noticed is how writers tie themselves in knots trying to define viruses, trojans, worms, and all the variants. So much of this stuff is blended together that these old definitions don't fit today's threats very well.

IMHO Elisan's book isn't very good. He gets tied up in those knots as badly as anyone. Remember yesterday's article about Internet safety? Same thing here. It's got its moments, but it's not much help for a computer tech who deals with this stuff every day.

Thanks Ars/Jon. This is much more newbie-digestible than the last installment. I'm going to quote myself from the other article, because I'd like more Security for Noobs 101 that I can point family and friends to.

Clownrazer wrote:

Starting with https/encryption was ok (but may make some eyes glaze over unfortunately), but I'm very surprised there was no mention of password strength, or a link/mention of the subject. Especially since it doesn't seem like that's something that will be covered with the Malware discussion.

2: What to watch for -- suspicious e-mail/bank activity, links (and how to see where they really go), pop-ups, toolbars, malware/adware, browser certificate warnings

3: How to defend -- password practices (is there a way to make LastPass/1Password/etc. sound simple? Which is the easiest for non-techies?), 2part auth, anti-virus/malware (adblock, noscript?), update software, encryption/VPN

I probably left some stuff out, but if the first two "articles" were easy-reads, and the 3rd was basically a check-list that spells out almost exactly how to achieve a more secure digital presence I could see them being useful for years to come -- especially if they were updated when new threats/options arise.

Anyone who has ever played EVE Online will know not to pay the "ransom". Ebil piewats cannot be trusted to uphold their end of the bargain...

Great, now I can start referring to virus / malware infected computers by an appropriate array of, "webbed, scrammed, aggro'd, and OMGWTFBBQ."

On the serious side though, the feds, credit card companies, and other governments need to get ransom-ware under control. It is entirely their responsibility to track down and prevent fraud and similar crimes. Nobody would be writing ransom-ware if there wasn't a good pay check on the other side with little fear of prosecution.

What has saved mobile devices is Apps. Having the ability to better control what gets on the mobile device. PCs and even Macs have mostly been exploited through email and holes in plugins, and most mobile devices don't support many plugins. I would think that will change as hackers become more familiar with mobile OSes and making attacks for them. Facebook could be a prime target as users move towards using Facebook and other social sites on mobile devices. Many of them having absolutely no security in place. I see an increase of malware coming but in the form of more targeted malware. Given that China has hacked into newspapers like the Wall Street Journal just proves they want bigger fish than just throwing out random malware hoping for a bite. I think they are going to target the Facebooks and banks and governments to get the most effective return for their efforts.

I had this horrible malware infection that would open a browser window in the background and play a radio station. I can't believe that was actually someone's business model. The good folks at spywarehammer.com finally helped me get rid of it. Those people are saints.


Good point about using more generic terminology for the average end user. Most users need to know what phishing is and that a good anti-virus is reasonably effective against malware. The technical differences are not important to them only the effects of having their computers infected.

While I think the article is a good general introduction to some of the malware floating around out there, I wish more focus would have been given on how to avoid or contain malware to begin with. IMO, the most important defense against malware is an educated user, because, let's face it, if someone likes surfing teh free pronz, torrents, or other questionable sites, even the best AV will eventually be compromised. In that vein, the concept of sandboxing your browser or any questionable executable should at least be mentioned, along with how to secure your browser(s).

When the government released the thing about Java, people panicked. It almost sounds shameful to say, but the people who need the news to help protect them from the threats are the ones that are not getting the news necessary to protect them.

I don't know whether to blame the people responsible for trying to educate them, the people for the lack of effort, or the people that bill them for services because it's better on the wallet the less someone knows.

And I say that being one of the 1st and 3rd options in the same person. Part of me tries to help the user, but when they walk back into a burning building with a can of gas, after I extinguish the previous flames, I have to just throw my hands up at some point and say it's time to pay the stupid tax for not listening.

Graphic would be a little better if you showed who (presumably hacker) sent the commands to the Command and Control center to initiate the DOS attacks... need a line added to clarify. Otherwise, it seems the C&C computers just do their thing without intervention.

Duly noted. But if you sort that by date there was one such headline in mid-2012, one in 2011, and before that the most recent was 2010. Hardly seems like that many, but if people hate it perhaps even once a year is too much.


Thank you for considering my feedback. To clarify, it's that I'm a long-time reader who's seen pretty much all of your headlines since 2003, and that search shows the same title scheme used 17 times. I would hope professional writers wouldn't use the same joke over and over again.


Apple's Mac computers, long seen as safe havens because of their low market share, have also become a bigger target.

It annoys me every time I read someone propagate this popular myth. Macs are not immune from malware, but they are the most secure personal computers made for the masses and their market share is only a small part of the reason why.

iOS has a larger piece of the mobile market share than all others (if you include iPads) and yet iOS has the lowest malware vulnerability of any mass marketed OS. iOS is a subset of the Mac OS, thus the Mac's OS is also very secure, only a little less so in that there is no walled garden, but to say that the whole reason the Mac's OS is secure is due to obscurity is an insult to all of the professionals (Apple and NeXT coders) and hobbyists (BSD coders) who have put a lot of thought and security into the operating system and its roots.


Completely agree. These terms are getting thrown around all the time, to the point they've almost become buzzwords. Additionally, it's gotten the point where they really aren't even well-defined anymore and their definitions overlap.

For instance, NO definition of Trojan that I've seen before requires that the malware can't reproduce itself. Trojan has always referred to the idea that the malware masquerades as a normal executable. Suddenly, these guys are trying to modify the definition to make the top level "categories" more neat?

It annoys me- maybe even infuriates me- that malware classifications seems so piss-poor: there doesn't really seem to be a clean, hierarchical model to accurately classify each piece of malware, so people (apparently including a lot of security researchers!) just pick a term that seems to apply. Nobody seems to notice that multiple terms apply to a given piece of malware depending on method of delivery, method of concealment, payload type, etc.

It would be nice if the terminology were finally standardized and a hierarchy established. /rant

An ironic observation of mine over the past twenty years is that people who run MacOS or OS X seem to feel they know more about the state of Windows & malware than anyone else, including Windows users... Usually, though, what emerges is simply a lot of FUD that is both laughable for its content and lamentable for its many errors.

I'm not sure why Jon insists on lumping examples of targeted hacking in with general examples of "malware." Anyway--he's in error about that. For instance, there simply isn't any "generalized malware" that people attach to celebrity pics, as just one popular malware vector, that is written to seek out specific rocket designs and upload them to specific servers. Your av program can't help you with something like that, unfortunately. The Japanese rocket designs were specifically targeted and specifically hacked--I cannot call that "malware." Sorry, but that's stretching the definition of "malware" long past anything meaningful or instructive.

Likewise the blurb about reactor computers--if someone deliberately attaches some rampant code to a file on a USB drive and then plugs it into a company server, it will spread unless the server has defenses--and most nuclear reactor computers are festooned with such defenses--and critical systems are generally offline for the expected reasons, anyway. IE, a piece of malware encountered in the wild is not going to set off a nuclear chain reaction. Ever. It would actually be fairly difficult if not impossible to deliberately set off a chain reaction inside a working reactor even if you were an employee with the right access and you desired to do so. Too many safeguards.

Likewise, "Dexter" was targeted software designed to target specific POS hardware and software. IE, Point of Sale terminals do not as a rule access the Internet on their own and "pick up" the sort of "malware" that steals credit-card data by way of a specific and fine-tuned methodology. Even if POS terminals could actually access porn on an Internet connection themselves... a general piece of Internet malware such as is eradicated by an av program would not be able to do what Dexter did. This is another example of targeted hacking--not malware. You correctly ended this section this way:

Quote:

And espionage-motivated computer threats are getting more sophisticated and versatile all the time.

Yes--that's it. But as Donald Duck might say, "That ain't malware, quack!" Espionage is a horse of a different color, and it doesn't matter whether you run Windows servers, OS X servers, or giant mainframes--a targeted hack is designed for specific results from specific combinations of hardware and software. As such, if such defenses as you have are breached you have been hacked. This is an order of magnitude different from "malware" as an average user might encounter it somewhere on the Internet.

Instead of scary, the fact is that personal computers today offer levels of malware security and protection that are historically unsurpassed. Windows Vista and later (Win 7 and Win 8) are exceptionally robust in that regard. In fact, I would say that among personal computer operating systems deployed today, it isn't possible to surpass the malware defenses of Windows 7/8, so long as the end user updates his OS files as made available by Microsoft, and uses an effective malware/av program such as MSE for Windows--Windows 8 includes a more robust version of MSE integrated more tightly into the OS.

On a personal note--I haven't seen an active piece of malware or virus in my systems since 1999. Before I decided to dump Java (long before Apple said anything about it), I did have a couple of pieces of inert malware I found nesting inside a Java-spawned folder after I ran an MSE local scan (running Win7.) The infectious malware was there, but dead in the water because all of my system files had been updated properly so when the malware attempted to propagate it failed because there no longer were any files in my system that it was capable of latching onto. So...the inert malware just sat nested, incapable of harm, until my scan unearthed it and I deleted it.

I don't advise that anyone be flippant about malware, but at the same time people should know that Windows 7 & 8, at least, are extremely well-protected against generalized malware as is sometimes encountered on the Internet. You have to update your files regularly, and use a decent malware av program, of course. Couple that with a bit of prudence as to where you go on the Internet and what you run--I'm so used to UAC now that I feel naked without it--and you really should have little to no problems. I take my own advice and so that's how I know...


Most people running MacOS are, were, or have been Windows users also. I started scientific professional life as part-time IT support (they didn't yet have full time science work for me) and I was a windows user, but I switched when I discovered the Mac that half of the scientists at my facility were using but rarely called me to repair their systems (because they didn't need repairs or wipes due to virus infections or corrupted files). I still use Windows on a regular basis as most instrumentation requires Windows-only programs to operate.

WaltC wrote:

Instead of scary, the fact is that personal computers today offer levels of malware security and protection that are historically unsurpassed. Windows Vista and later (Win 7 and Win 8) are exceptionally robust in that regard. In fact, I would say that among personal computer operating systems deployed today, it isn't possible to surpass the malware defenses of Windows 7/8, so long as the end user updates his OS files as made available by Microsoft, and uses an effective malware/av program such as MSE for Windows--Windows 8 includes a more robust version of MSE integrated more tightly into the OS.

You speak of FUD, but "personal computers offer levels of malware security and protection that are historically unsurpassed" is a statement that while it doesn't spread fear, uncertainty, or doubt, it is just as untruthful as the worst FUD I have read. Why don't you recommend operating your Win 7 or Win 8 machine without "an effective malware/av program?"

I have read many professional analysts say that running MacOS without malware/av programs isn't a problem and may even be wanted, as most malware/av programs scavenge processor cycles and most malware vendors have been relatively slow to fix problems with Mac antivirus programs. I personally use ClamXav, but only to be a good net citizen and not pass on any infected emails to my friends; I still have good reason to not worry about my computer getting infected even if I didn't use ClamXav. And while market share helps, it is not the only reason MacOS has lower malware risk, as we can see with iOS (a subset of OS X), which has a dominant market share and effectively no malware risk, or more correctly the least malware risk among mobile OSes.

WaltC wrote:

I don't advise that anyone be flippant about malware, but at the same time people should know that Windows 7 & 8, at least, are extremely well-protected against generalized malware as is sometimes encountered on the Internet. You have to update your files regularly, and use a decent malware av program, of course. Couple that with a bit of prudence as to where you go on the Internet and what you run--I'm so used to UAC now that I feel naked without it--and you really should have little to no problems. I take my own advice and so that's how I know...

You forgot your previous caveat: Windows 7&8 is well-protected IF you use an effective malware/av program and keep your system updated. (I agree that all systems should be kept updated.)

Again, Mac OS X is well-protected even if you don't use malware/av programs. And due to the walled garden, iOS is even better protected than them all. The proof is in the pudding. OS X has been a minority OS since the year 2000, but it has been largely immune from a remote malware attack. iOS has been a dominant mobile OS and nearly 100% immune to all malware (on non-jailbroken devices) since 2007. {The only exception to these statements is the social engineering Trojan will still get a Mac or iOS user if they are dumb enough to click through the installation request.} How many more years of these excellent track records do we need before people start seeing the truth? No OS is 100% secure, but there are some that are better than the rest and definitely better than Windows; even as good as Windows 7&8 have become, there are other OSes that are still better, maybe even WAY better.

Viruses, Trojans, and worms, oh my: The basics on malware
Mobile malware may be trendy, but PC malware is still the big problem.

Viruses, Trojans, and worms, oh my: The basics on malware
Mobile malware may be trendy, but Windows malware is still the big problem.

There. I fixed it for you.

Viruses, Trojans, and worms, oh my: The basics on malware
Mobile malware may be trendy, but majority market share OS malware is still the big problem.

There. I fixed it for *you*.

That's cute. Windows doesn't have majority marketshare on servers.

Telling yourself and the gullible that "Windows only gets all the malware because nobody's going to write viruses for obscure platforms!" is completely debunked by that fact alone. "Yeah, nobody wants to screw with actual servers like they want to get into your all-important personal computer. "

I'm not sure that the graphic shown on the second page of this article is really accurate. As far as I know, some of the attacks (shellcode-related attacks, for example, which are at the bottom of the graphic) are less likely to be detected and therefore create inaccurate data in such graphics. In the case of the shellcode-related attacks, as far as I understand, the shellcode is usually inserted in memory thanks to a buffer-overflow attack. Once the software developers are aware of the overflow vulnerability, they patch it, but it gives an inaccurate idea of how many times the flaw was used: indeed, the shellcode can then lead to many different uses of the target, and one cannot easily know what it was used for because the further payloads, once the shellcode has been executed, can be anything. However, with classic malware (let's say good old viruses), once an antivirus company has nailed it, they get much more accurate numbers thanks to the fact that all the infected computers will report the infection to the antivirus company once it has been detected.

Please correct me if I'm wrong! I'm far from an expert and would love to receive some validation about what I just wrote.


iOS is not even in the same category of operating systems as desktop Windows. You should compare it with Windows Phone (still not the same, but much closer). Apple knows what letting users do whatever they want means; that's why in the latest OS X by default you can't install software from outside of the Mac App Store. I guess they don't share with you the same confidence regarding the inherent security of Mac OS, so they decided to take this extra step.

But you're right in saying that market share is not the only reason. Another--perhaps equally important--reason is accessibility. Everyone can start writing software/malware for Windows with pretty much zero costs. Writing for Mac OS and iOS, not so, since at the very least you'd need a Mac to develop on (and pay a yearly developer fee to submit apps to the App Store). Also, with desktop Windows you have 10-15 years of backwards compatibility, which is not there with Mac OS.

Engelsstaub wrote:

That's cute. Windows doesn't have majority marketshare on servers.

Again, you're making an inappropriate comparison. Servers and desktops have both different users and different uses. The malware issues affecting desktop Windows are pretty much non-existent on Windows servers.

That said, I'm not defending Windows. There have been some very stupid security issues in the past (Autorun, anyone?), the admin/standard user separation wasn't promoted enough and, yeah, I think the average user is still more likely to get malware with Windows than with most other OSs, for various reasons. But most of these reasons are directly or indirectly related to the market share, accessibility and the user freedom to tinker with the system. So we have different OSs with different users and usages. Keep this in mind when making comparisons.